[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fLfZdmk18QJVtgrP0WJyrvW7g7qVfdkMukl6AeREyrYU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-0725","integrate-dynamics-365-crm-authenticated-administrator-stored-cross-site-scripting-via-field-mapping-configuration","Integrate Dynamics 365 CRM \u003C= 1.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Field Mapping Configuration","The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. 
This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","integrate-dynamics-365-crm",null,"\u003C=1.1.1","1.1.2","medium",4.4,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-16 19:47:08","2026-01-17 08:24:31",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6b16028a-0b69-422b-9471-32ea6edb93a0?source=api-prod",1,[],"researched",false,3,"This research plan outlines the process for investigating and exploiting **CVE-2026-0725**, a Stored Cross-Site Scripting (XSS) vulnerability in the **Integrate Dynamics 365 CRM** plugin.\n\n---\n\n### 1. Vulnerability Summary\nThe **Integrate Dynamics 365 CRM** plugin (\u003C= 1.1.1) fails to properly sanitize and escape field mapping configurations within its administrative settings. An attacker with Administrator-level privileges can inject arbitrary JavaScript into these configuration fields. Because the plugin displays these configurations on the settings page without sufficient output escaping, the script executes whenever an administrator (or any user accessing the mapping settings) views the page.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** The vulnerability is likely located within the plugin's administrative settings menu, specifically the \"Field Mapping\" section.\n*   **Vulnerable Action:** Saving or updating the field mapping configuration. 
This typically involves a `POST` request to `wp-admin\u002Foptions.php` (if using the Settings API) or `wp-admin\u002Fadmin-ajax.php` (if using a custom AJAX handler).\n*   **Vulnerable Parameter:** Parameters related to mapping labels, CRM field names, or WordPress field keys (e.g., `mapping_label`, `crm_field`, etc.).\n*   **Authentication:** Requires **Administrator** or higher privileges (`manage_options` capability).\n*   **Preconditions:** The plugin must be active and the attacker must have access to the plugin's settings page.\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** The administrator navigates to the plugin's settings page, typically registered via `add_menu_page` or `add_submenu_page` with a slug like `integrate-dynamics-365-crm-settings`.\n2.  **Data Submission:** The user submits a form to save field mappings. \n    *   If using Settings API: `admin_init` hook calls `register_setting()`.\n    *   If using AJAX: `wp_ajax_save_mapping` (inferred) is triggered.\n3.  **Storage:** The plugin calls `update_option('dynamics_crm_mappings', ...)` (inferred) without using `sanitize_text_field()` or `wp_kses()` on the mapping attributes.\n4.  **Retrieval & Sink:** When the settings page is reloaded, the plugin calls `get_option('dynamics_crm_mappings')`. The retrieved data is echoed into the HTML (e.g., inside an `\u003Cinput>` value attribute or a `\u003Ctd>` cell) without using `esc_attr()` or `esc_html()`.\n\n### 4. Nonce Acquisition Strategy\nSince this is an administrative settings vulnerability, a WordPress nonce will be required to authorize the `POST` request.\n\n1.  **Identify the Page:** Navigate to the Field Mapping page (likely `wp-admin\u002Fadmin.php?page=integrate-dynamics-365-crm-mappings` (inferred)).\n2.  **Locate Nonce:** Use `browser_navigate` to load the settings page.\n3.  
**Extract Nonce:** Use `browser_eval` to find the nonce field in the form.\n    *   Common identifiers for settings forms: `document.querySelector('input[name=\"_wpnonce\"]')?.value`.\n    *   If AJAX-based: Look for localized objects, e.g., `window.dynamics_crm_settings?.nonce`.\n\n### 5. Exploitation Strategy\nThe goal is to inject a payload that executes when the settings page is viewed.\n\n**Step 1: Discover the Mapping Endpoint**\nThe agent must first find the exact menu slug and the form structure.\n*   `wp admin-menu list`\n*   `browser_navigate` to the mapping page and inspect the HTML form attributes (ID, Action, Method).\n\n**Step 2: Craft the Payload**\nSince the payload is likely rendered inside an input field or a table:\n*   `\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>`\n*   `\" onmouseover=\"alert(1)`\n\n**Step 3: Execute the Injection**\nSubmit the malicious configuration via `http_request`.\n*   **URL:** `https:\u002F\u002F[target]\u002Fwp-admin\u002Foptions.php` (or the identified AJAX endpoint).\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body (Inferred):**\n    ```\n    option_page=dynamics_crm_settings_group&\n    action=update&\n    _wpnonce=[EXTRACTED_NONCE]&\n    dynamics_crm_mappings[0][label]=\u003Cscript>alert(1)\u003C\u002Fscript>&\n    dynamics_crm_mappings[0][wp_field]=user_login&\n    dynamics_crm_mappings[0][crm_field]=contactid\n    ```\n\n**Step 4: Trigger the XSS**\nNavigate back to the field mapping settings page using `browser_navigate`.\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `integrate-dynamics-365-crm` version 1.1.1 is installed and active.\n2.  **User:** Create an administrator user.\n3.  **Plugin Setup (If required):** Some CRM plugins require a dummy API key or URL to be saved before the mapping section becomes accessible. Use `wp option update` to set a dummy CRM endpoint if needed.\n\n### 7. 
Expected Results\n*   The `POST` request should return a `302 Redirect` (Settings API) or a `200 OK` (AJAX).\n*   When navigating to the settings page, the browser should trigger the `alert(document.domain)` popup.\n*   The HTML source of the page should contain the raw, unescaped payload within the mapping configuration table or form.\n\n### 8. Verification Steps\n1.  **Check Database:** Use WP-CLI to verify the payload is stored.\n    *   `wp option get dynamics_crm_mappings --format=json` (Verify the injected string exists in the output).\n2.  **Verify Context:** Check if the XSS is limited to the Admin dashboard (Self-XSS) or if it propagates to public-facing forms (e.g., a shortcode-generated lead form).\n    *   `grep -r \"get_option.*dynamics_crm_mappings\" .` to see if the mappings are used in the frontend.\n\n### 9. Alternative Approaches\n*   **CSRF Chain:** If the nonce check is weak or missing (unlikely for admin settings but possible), the XSS could be delivered via a CSRF attack against an administrator.\n*   **Attribute Breakout:** If `esc_html` is used but `esc_attr` is not, try breaking out of a value attribute: `value='[PAYLOAD]'` using `' onclick='alert(1)`.\n*   **JSON Breakout:** If the settings are localized into a script block via `wp_localize_script`, use `\";alert(1);\u002F\u002F` to break out of the JavaScript variable assignment.","The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its Field Mapping configuration settings. 
Authenticated administrators can inject arbitrary JavaScript into mapping labels or field names, which is then executed when any administrator views the plugin's settings page due to a lack of input sanitization and output escaping.","\u002F* Inferred from the research plan and vulnerability description *\u002F\n\n\u002F\u002F Rendering logic in settings page (no escaping)\n$mappings = get_option('dynamics_crm_mappings');\nforeach ($mappings as $index => $mapping) {\n    echo '\u003Ctr>';\n    echo '\u003Ctd>\u003Cinput type=\"text\" name=\"dynamics_crm_mappings[' . $index . '][label]\" value=\"' . $mapping['label'] . '\">\u003C\u002Ftd>';\n    echo '\u003C\u002Ftr>';\n}\n\n---\n\n\u002F\u002F Saving logic (no sanitization)\nif (isset($_POST['dynamics_crm_mappings'])) {\n    update_option('dynamics_crm_mappings', $_POST['dynamics_crm_mappings']);\n}","--- a\u002Fintegrate-dynamics-365-crm\u002Fadmin\u002Fsettings.php\n+++ b\u002Fintegrate-dynamics-365-crm\u002Fadmin\u002Fsettings.php\n@@ -10,7 +10,7 @@\n  foreach ($mappings as $index => $mapping) {\n      echo '\u003Ctr>';\n-     echo '\u003Ctd>\u003Cinput type=\"text\" name=\"dynamics_crm_mappings[' . $index . '][label]\" value=\"' . $mapping['label'] . '\">\u003C\u002Ftd>';\n+     echo '\u003Ctd>\u003Cinput type=\"text\" name=\"dynamics_crm_mappings[' . $index . '][label]\" value=\"' . esc_attr($mapping['label']) . '\">\u003C\u002Ftd>';\n      echo '\u003C\u002Ftr>';\n  }\n \n@@ -25,5 +25,9 @@\n  if (isset($_POST['dynamics_crm_mappings']) && check_admin_referer('dynamics_crm_save_settings')) {\n-     update_option('dynamics_crm_mappings', $_POST['dynamics_crm_mappings']);\n+     $sanitized_mappings = array();\n+     foreach ($_POST['dynamics_crm_mappings'] as $mapping) {\n+         $sanitized_mappings[] = array_map('sanitize_text_field', $mapping);\n+     }\n+     update_option('dynamics_crm_mappings', $sanitized_mappings);\n  }","1. 
Authenticate as a WordPress user with Administrator privileges (required to access 'manage_options' sections).\n2. Navigate to the Integrate Dynamics 365 CRM plugin settings, specifically the 'Field Mapping' section (usually under wp-admin\u002Fadmin.php?page=integrate-dynamics-365-crm-mappings).\n3. Capture the required security nonce from the settings form HTML (e.g., the value of the _wpnonce input field).\n4. Submit a POST request to the settings update endpoint (likely wp-admin\u002Foptions.php or a custom admin-ajax.php handler).\n5. In the payload, set a mapping label or field name parameter (e.g., dynamics_crm_mappings[0][label]) to an XSS payload like: \">\u003Cscript>alert(document.domain)\u003C\u002Fscript>.\n6. Once the settings are saved, navigate back to the mapping configuration page. The browser will execute the injected script when it renders the unescaped value inside the HTML input attribute.","gemini-3-flash-preview","2026-05-05 06:55:15","2026-05-05 06:56:23",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","1.1.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fintegrate-dynamics-365-crm\u002Ftags\u002F1.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fintegrate-dynamics-365-crm.1.1.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fintegrate-dynamics-365-crm\u002Ftags\u002F1.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fintegrate-dynamics-365-crm.1.1.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fintegrate-dynamics-365-crm\u002Ftags"]
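Review bot: In the first hunk of admin/settings.php, the changed echo line wraps $mapping['label'] in esc_attr(), but $index is still concatenated unescaped into the name attribute on that same line. The line removed in the second hunk stored $_POST['dynamics_crm_mappings'] as submitted, so option data saved before this patch can carry arbitrary array keys; escape the index too, e.g. esc_attr($index), or cast it to an integer before output.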
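Review bot: In the second hunk, array_map('sanitize_text_field', $mapping) assumes every element of $_POST['dynamics_crm_mappings'] is a flat array of strings: a scalar element makes array_map() fail, a nested array is handed to sanitize_text_field() as-is, and the inner keys are kept exactly as submitted. Check is_array($mapping) before mapping, pass the input through wp_unslash() first, and copy only the expected keys into $sanitized_mappings rather than every submitted one.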